Be careful what you ask for (and maintain) about Colorado residents…especially if you don’t have the proper data security policies in place. On September 1, 2018, Colorado’s new privacy law, HB 18-1128, will go into effect, imposing new requirements on any business or government entity that maintains, owns, or licenses personal identifying information about Colorado residents.

The new law imposes three key requirements on businesses subject to the rule:

Reasonable security procedures and practices must be implemented that are proportionate to the nature of the personal identifying information maintained and the nature and size of the business’s operations.

Written policies for the destruction and proper disposal of paper and electronic documents containing personal identifying information must be developed.

Breach notification procedures must be followed, including adhering to a 30-day time period by which notification must be completed.

Personal information is defined broadly under the new law to include a resident’s first name or first initial and last name (e.g., Jane Doe or J. Doe), in combination with one of the following: medical information; health insurance identification number; biometric data; social security number; student, military, or passport identification number; driver’s license number or identification card. Personal information also includes—even when not tied to a resident’s name—a resident’s username or email address with a password or a security question and answer that permits access to an online account, or an account number or credit/debit card number in combination with a security code, access code or password that permits access to an online account.

Businesses that do not already have written data disposal and security policies should act quickly to ensure that they are compliant with the nuances of the new law. Additionally, businesses need to operationalize procedures designed to ensure that employees and third-party service providers are adhering to privacy policies, since mere “paper compliance” falls short of protecting against the risk and exposure attendant to a breach.

Colorado’s breach notification requirement imposes a more aggressive requirement for notifying affected residents than the requirements under the Health Insurance Portability and Accountability Act (HIPAA) and virtually any other U.S. state. A business must provide written notification with certain information to affected residents in the most expedient time possible and without unreasonable delay, but not later than 30 days after the point in time when there is sufficient evidence to conclude that a security breach has occurred. For breaches believed to have affected 500 residents or more, businesses must notify the Colorado Attorney General; for breaches believed to have affected 1,000 residents or more, businesses must also notify certain consumer reporting agencies.

Reflective of the shift towards providing consumers with more control over their personal information, the bill is codified under the Colorado Consumer Protection Act (CCPA), C.R.S. §6-1-713, et seq., and potentially creates a private right of recourse against businesses who misuse a resident’s information. CCPA causes of action oftentimes include assertion of a right to treble (or triple) damages and reasonable attorneys’ fees. Additionally, the Colorado Attorney General may bring civil, or in some cases criminal, actions for violation of the law.

The frequently unforgiving nature of civil monetary penalties imposed by the HHS Office of Civil Rights (OCR) for HIPAA violations should be cautionary. But, not only is there great risk of exposure for unprepared or noncompliant businesses facing enforcement by state and federal regulatory agencies, now more than ever, individual or class action liability seems to be on the horizon. Last, but not least, businesses never envision themselves as “the ones” making headlines about their data breaches…until it happens…and happens quickly.

What if I already comply with other state or federal privacy laws?

The new law indicates that businesses already regulated by other state or federal law are in compliance if they adhere to such regulator’s procedures for the protection and disposal of personal identifying information. If the business operates in interstate, international and/or online commerce involving Colorado residents, however, a thorough review of policies and procedures is recommended to ensure that the mandates of the various applicable laws are reconciled against each other. For example, Colorado’s breach notification provision indicates that the law with the shortest time period for notice to affected individuals will control. Healthcare entities, which are typically subject to HIPAA’s 60-day notification requirement, need to implement measures to comply with the shortened period under Colorado law.

Recommendations:

Businesses subject to the privacy law should take the following steps, at a minimum, to ensure that they are prepared to comply.

A thorough risk analysis of the type of data maintained should be completed. Entities should know and map the flow of data both internally and outside of their business, whether in paper or electronic format. Inventories of hardware and other electronic portable devices where electronic media is stored should be routinely tracked. Physical security controls should be identified and regularly reinforced.

Employees must be routinely trained in data privacy and security policies and procedures. Handbooks should be updated, and it is a good idea to assess whether to require nondisclosure and confidentiality agreements. Appropriate protocols for the destruction and disposal of personal identifying information must be implemented for all employees accessing the sensitive information, especially for departing employees.

Third-party service vendors should be identified and communicated with regularly to obtain reasonable assurances of compliance with the new law. Contractual documents should reflect vendors’ obligation to adhere to data maintenance, destruction and breach notification policies so that a coordinated and rapid response to a security incident is set in motion.

The U.S. Department of Health and Human Services (HHS) recently announced that it is seeking comments regarding potential changes in HIPAA and 42 CFR Part 2,[1] with the indication that action to reform the rules will be taken to ease the regulatory burden on the healthcare sector and coordinate better care at a lower cost. These efforts, however, must be juxtaposed with HHS’s continued aggressive enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules[2] and many States’ efforts to enact their own heightened data security and breach laws.[3]

There is no uniform mechanism for determining how best to implement the necessary measures. Legal counsel specializing in data privacy and security law are instrumental resources when ensuring that adequate measures are taken to navigate compliance with state and federal laws, especially in today’s rapidly changing environment.
___________________________________________________________________

[1] 42 CFR Part 2 is a federal privacy law governing the confidentiality of individuals seeking treatment for substance use disorders from federally assisted programs.

[2] Of note is a recent ruling by an HHS Administrative Law Judge upholding $4.3 million in civil monetary penalties after The University of Texas MD Anderson Cancer Center reported three separate data breaches involving an unencrypted laptop and USB drives.

[3] The California legislature’s recent passage of a sweeping consumer privacy law is just one such example.

“…a more positive, relevant resource of information for concerned consumers.”

On July 25, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), unveiled a revised Health Insurance Portability and Accountability Act (HIPAA) Breach Reporting Tool (HBRT) that provides consumers improved access to information on breach data, and also provides greater ease-of-use for organizations reporting incidents. The HBRT makes required reporting information public, such as name of the entity suffering the breach; state where the breach occurred; number of individuals affected; date of the breach; type of breach (e.g. hacking/IT incident, theft, loss, unauthorized access or disclosure); and the location of the breached information (e.g. laptop, paper records, desktop computer). HIPAA also requires health care providers and other covered entities to promptly notify individuals of a breach and, in some cases, notify the media.

HHS Secretary Tom Price, M.D., explained, “HHS heard from the public. . . . To that end, we have taken steps to make this website, which features only larger breaches, a more positive, relevant source of information for concerned citizens.”

A hospital’s breach notification to the Department of Health and Human Services, Office of Civil Rights (“OCR”) led to a Resolution Agreement, payment of $400,000 and a Corrective Action Plan for an east coast health system. On September 23, 2016, OCR issued a press release advising that Women & Infants Hospital of Rhode Island (“WIH”), a member of Care New England Health System (“CNE”), notified OCR of a reportable breach in November of 2012, stemming from its discovery that unencrypted backup tapes containing electronic Protected Health Information (“PHI”) were missing from two of its facilities. CNE provides centralized corporate support to the covered entities under its common ownership and control, including technical support and information security for WIH’s information systems, as its business associate. Although WIH had in place a business associate agreement (“BAA”) with CNE, it was dated March of 2005 and had not been updated since implementation and enforcement of the HIPAA Omnibus Final Rule.

OCR’s investigation of WIH’s HIPAA compliance program, triggered by the report of the missing tapes, uncovered the outdated BAA. WIH updated its BAA on August 28, 2015, as a result of OCR’s investigation. OCR then determined that from September 23, 2014, the date enforcement of the Final Rule began, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided CNE with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that CNE would appropriately safeguard the PHI. The settlement was reached without any admission of liability by CNE or WIH.

The settlement is a jolt to many covered entities and their business associates for a number of reasons. The key take-aways are:

(1) There is an inference in OCR’s actions that a well-worded BAA, in which the business associate agrees to abide by the specifications required by the Privacy and Security Rules, is sufficient to satisfy the covered entity’s obligation to obtain “satisfactory assurances” that the business associate will appropriately safeguard the PHI (meaning those often lengthy and burdensome security questionnaires or audits business associates are being asked to complete may be unnecessary and not required);

(2) documentation of intent and action, including policies, procedures and BAAs, is extremely important in establishing HIPAA compliance (i.e., the fact that the mistake occurred—tapes went missing—is being treated as the result of the absence of a written agreement, justifying the enforcement action, when in reality it is likely, or at least conceivable, that human error, inadvertence or lack of attention is the root cause and this could have occurred even if an updated BAA was in place and being followed); and

(3) policies, procedures and continuous training and retraining of the workforce handling PHI are imperative to a successful HIPAA compliance program, and remain on the radar of any OCR investigation.

On July 11, 2016, the Office for Civil Rights (“OCR”) published guidelines for ransomware attack prevention and recovery, including the role HIPAA has in assisting covered entities and business associates to prevent and recover from such attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack. According to the OCR report, there have been 4,000 daily ransomware attacks since early 2016, up 300% from 2015. Earlier this week a healthcare IT Security Consultant told me the chatter he hears is that the hackers out there are working on stronger, more aggressive, more deadly hacks to unleash, and he fears a hacking storm a brewin’. Time to get serious and batten down the hatches, folks!

The OCR report describes what a ransomware attack is, and explains that maintaining strict HIPAA Security Rule compliance can help prevent the introduction of malware, including ransomware. Some of the required security measures discussed include:

Implementing a security management process, which includes conducting a risk analysis and taking steps to mitigate or remediate identified threats and vulnerabilities;

Implementing processes to guard against and detect malicious software;

Training users on malicious software protection; and

Implementing access controls.

Since ransomware gets into your system and then ties up your data, denying you access to your data (usually through encryption), and then directs you to pay a ransom to the hacker in order to receive a decryption key, maintaining frequent backups and ensuring the ability to recover data from backups is crucial to recovering from a ransomware attack. Again, HIPAA compliance protects entities because the Security Rule requires covered entities and business associates to implement a data backup plan as part of maintaining an overall contingency plan, which includes periodic testing of the plan to be sure it works.

The presence of ransomware – or any malware – is considered a security incident and triggers the need to initiate security incident response and reporting procedures. Based upon an analysis of the investigation results, breach notification may be required. Additionally, if there is an impermissible disclosure of PHI in violation of the Privacy Rule, there is a presumed breach which may trigger notification. Whether or not the presence of ransomware would be a breach under the HIPAA Rules is thus fact specific. However, unless the entity demonstrates there is a “…low probability that the PHI has been compromised,” a breach of PHI is presumed to have occurred and the entity must comply with the applicable breach notification provisions.

Once again news reports teach us that the time to have your robust data privacy and security program in place and continually monitored was yesterday!

On June 26 it was reported on DataBreaches.net that 655,000 patient records from three different healthcare databases were up for sale on the dark net. According to reports on the DeepDotWeb, at least one of the hacked entities was using SRS EHR v.9 patient management software. DeepDotWeb also reports that the hacker communicated with them over an encrypted Jabber conversation, and included images from the largest database hack from the hacker’s internal network. The seller/hacker asked the website to add a note to the breached companies: “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”

Apparently, shortly after that, a fourth stolen database, reportedly consisting of 9.3 million individuals’ records from a health insurer, went up for sale. The hacker taking credit for all of them refers to himself as “The Dark Overlord”. He claims to have contacted the entities to warn them about the vulnerabilities of their systems, and offered to fix or reveal the problems for an undisclosed amount, which the healthcare organizations declined. In other words, the hacker offered the stolen data back to its owners for an extorted ransom. When the demand was not paid, the hacker moved on to Plan B – sell the data on the dark web. The hacker offered the data from the four hacked healthcare organizations for prices ranging from $96,000 to $490,000 in bitcoin.

In the past week two of The Dark Overlord’s targets – Athens Orthopedic Clinic in Georgia and a Missouri group of clinics owned by Dr. Scott Van Ness – have been identified. The hacker accessed electronic medical records of both targets using the credentials of a third-party vendor. Personal information of current and former patients was breached, including names, addresses, social security numbers, dates of birth and telephone numbers, and in some cases diagnoses and partial medical history. Athens Orthopedic Clinic is advising its current and past patients to place a fraud alert on their credit reports with the major credit bureaus. This notice, however, is alleged to have materialized only after events of last weekend, when 500 patient records from Athens Orthopedic Clinic appeared on Pastebin, with a note to their CEO to “pay the [expletive omitted] up.”

Notably, according to reports on Databreaches.net, both entities have acknowledged that the attacker likely got access through an unnamed third-party contractor (presumably the EMR vendor). Databreaches.net claims, however, that neither entity mentioned the ransom demands or that patient data was being dumped in public and was still up for sale on the dark net. Athens Orthopedic Clinic apparently did work to get the information removed from Pastebin, but the other group’s data was still posted as of July 16.

Several lessons, or at least questions, must be in the minds of any healthcare organization as they learn of these events. First is the question of whether your own data security is protected from such attacks, or whether you are vulnerable as well. How safe is your EMR system? How closely do you audit and monitor the third-party vendors you contract with? Second, and something I think every organization should have at least a working framework to use for analysis in the event they find themselves the recipient of a post-breach ransom demand: what will your response be in the event you receive such a demand?

The Office of Civil Rights for the U.S. Department of Health and Human Services (“OCR”) has launched a new audit initiative to make sure that health care providers are complying with HIPAA. Concerning its initiative, OCR says, “OCR’s audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits.” Providers would be well advised to ensure that they are ready for a HIPAA audit and are in full compliance with the Privacy Rule.

Many employers view wellness programs as a way to lower health care costs and promote healthy behavior. With the growth of workplace wellness programs, new guidance from the Office of Civil Rights (OCR) at the Department of Health and Human Services (HHS) is timely. HHS/OCR recently issued guidance in the form of frequently asked questions about HIPAA and workplace wellness programs.

The applicability of HIPAA to a workplace wellness program depends on how the program is structured. An employer may sponsor its own wellness program or offer it through the employer’s group health plan. When a workplace wellness program is offered as part of a group health plan, individually identifiable health information collected from wellness program participants is protected under HIPAA because the group health plan is a covered entity under HIPAA. However, a workplace wellness program that is not offered as part of a group health plan but is offered by an employer directly is not covered by HIPAA since HIPAA applies only to covered entities and business associates, but not to employers in their capacity as employers. However, other federal and state laws may apply to the collection and/or use of information by an employer that directly offers a workplace wellness program.

The guidance also addresses whether a group health plan may allow an employer as plan sponsor access to protected health information about participants in a wellness program offered through the plan. If the employer does not administer the health plan, the group health plan can disclose to the employer as plan sponsor only information on which individuals are participating in the health plan and summary health information if requested for the purposes of modifying the plan or obtaining premium bids for coverage.

The guidance states that the group health plan can provide an employer that is a plan sponsor and performs administrative functions on behalf of the group health plan with access to protected health information necessary to perform its plan administrative functions, but only if certain conditions are met. These conditions, which the employer as plan sponsor must include in plan documents and certify agreement to, include the following:

There must be adequate separation between employees who perform plan administrative functions and those who do not;

Protected health information cannot be used or disclosed for employment-related actions or other prohibited purposes under the privacy rule; and

There must be reasonable and appropriate administrative, technical, and physical safeguards to protect any electronic protected health information.

As employers and group health plans begin developing and implementing workplace wellness programs this year, they should review OCR’s recent guidance to ensure that they are in compliance with HIPAA.

Last year Colorado, like many other states, passed new legislation that affects patient requests for medical records and the fees that may be charged for copies of those records. The law, House Bill 14-1186, is codified at C.R.S. § 25-1-801, with related regulations at 6 CCR 1011-1, Ch. 1, Part 5. It changes the fees that may be charged for providing copies of records and adds provisions relating to the delivery of records in electronic format. These provisions apply to medical records in the custody of a broad range of health care facilities (see C.R.S. § 25-1.5-103(1)), including hospitals, nursing homes, assisted living residences, and hospices.

Colorado law requires that health care facilities make medical records available for inspection by a current patient or the patient’s personal representative at reasonable times and upon reasonable notice, except for certain records withheld in accordance with 45 C.F.R. § 164.524(a). A reasonable time for inspection should normally not exceed 24 hours from the date of the request (excluding weekends and holidays) for an inpatient or current resident. The patient or designated representative may not be charged for inspecting the records.

With regard to a discharged patient or resident, a health care facility must make a copy of the record available or make the record available for inspection within a reasonable time from the date of the signed request, normally not to exceed ten days, excluding weekends and holidays. However, if the health care provider or designated representative is not available to acknowledge the request, the facility shall inform the patient of the situation and provide the records as soon as possible. Discharged patients or their representatives cannot be charged for inspecting patient records.

Health care facilities should be aware of certain provisions of Colorado law relating to electronic records and films. Medical records must be delivered in electronic format if the records are requested in electronic format, they are stored in electronic format, and are readily producible in electronic format. Finally, a health care facility must release the original film if a licensed health care professional determines that a copy is not sufficient for diagnostic or other treatment purposes.

The amount that may be charged for medical records varies, depending upon the requesting party. When a patient or a personal representative requests a copy of medical records, the fees are set in accordance with HIPAA. Under HIPAA, a covered entity may charge a patient or a personal representative a reasonable, cost-based fee for providing a copy of medical records; this fee may encompass the cost of copying (including the cost of supplies for and labor of copying) and postage. However, health care facilities may charge third parties fees that are established under state law. Thus, the HIPAA fee limitations do not apply when records are released under other HIPAA-compliant situations, such as requests that are based on an individual’s authorization.

Colorado law establishes the following reasonable fees that a health care facility may charge a third party. The fees may not exceed the following:

For the first ten pages: $18.53

For the next thirty pages (pages 11 through 40): 85 cents per page

Each additional page after page 40: 57 cents per page (all records except those stored on microfilm) or $1.50 per page (records stored on microfilm)

Actual reproduction costs for each copy of a radiograph

Certification of medical records, if requested: $10.00 fee

Actual postage and electronic media costs if applicable

Applicable taxes

Under certain circumstances, third parties may not be required to pay any fees or a different fee schedule may apply. If a patient record is requested under the Laura Hershey Disability-Benefit Support Act, C.R.S. §§ 24-30-2201 through 2207, the third party may obtain one free copy of the record for the application process or for an appeal or reapplication when required by the disability benefits administrator. Where a statute or rule for a state or local government entity establishes maximum rates, these rates prevail. Finally, the statutory fee schedule does not apply to coroners requesting medical records.

Health care facilities should review their policies on releasing and charging for copies of medical records to ensure that they are in compliance with recent changes in Colorado law.

In light of the Ebola outbreak, the U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) has issued a bulletin reminding health care providers that, in OCR’s words, “the protections of the Privacy Rule are not set aside during an emergency.” OCR cautions that in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against impermissible uses and disclosures. Thus, covered entities and their business associates should review the HIPAA Privacy Rule to ensure that uses and disclosures in emergency situations are appropriate, and should provide training and reminders to employees.

HIPAA recognizes that under certain circumstances it may be necessary to share patient information without authorization. OCR’s bulletin notes that covered entities may disclose protected health information without a patient’s authorization as necessary to treat the patient or a different patient. HIPAA also allows covered entities to release patient information without authorization for certain public health activities. A covered entity may disclose protected health information to a public health authority that is authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability. Information may also be shared at the direction of a public health authority to a foreign government that is acting in collaboration with the public health authority. In addition, health information may be shared with persons at risk of contracting or spreading a disease or condition if authorized by law. Finally, health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public consistent with applicable law and ethical standards.

There are additional circumstances that allow the disclosure of protected health information. A covered entity may disclose protected health information to a patient’s family members, relatives, friends, or other persons who the patient identifies as being involved in the patient’s care and disaster relief organizations. Covered entities should review the specific circumstances that allow the release of this information.

Covered entities should also review whether the minimum necessary requirement applies. For most disclosures, but notably not disclosures to health care providers for treatment purposes, a covered entity must make reasonable efforts to limit the information disclosed to the “minimum necessary” to accomplish the purpose.

Although the media has reported many details about Ebola patients, HIPAA is not suspended when providing information to the media about Ebola or other public health emergencies. Therefore, covered entities should carefully review the rules surrounding disclosures to the media or others not involved in the care of the patient. If the media requests information about a particular patient by name, a health care facility may release limited facility directory information to acknowledge that the individual is a patient and provide basic information about the patient’s condition in general terms, provided the patient has not objected to or restricted the release of this information. Information about an incapacitated patient may only be released if the disclosure is believed to be in the patient’s best interest and is consistent with the patient’s prior expressed preferences. General information about a patient’s condition includes critical or stable, deceased, or treated and released. OCR cautions that affirmative reporting or disclosure to the media or the public at large about an identifiable patient or specific information may not be done without the patient’s or an authorized personal representative’s written authorization, unless one of the limited circumstances described elsewhere in OCR’s bulletin is applicable.

Although HIPAA is not suspended during a public health or other emergency, the HHS Secretary may waive certain provisions under the Project Bioshield Act of 2004 and section 1135(b)(7) of the Social Security Act. The limited waiver applies to certain sanctions and penalties of the Privacy Rule if the President declares an emergency or disaster and the HHS Secretary declares a public emergency. The waiver only applies in the emergency area and for the emergency period identified; to hospitals that have instituted a disaster protocol; and for up to 72 hours after the hospital implements its disaster protocol. Once the Presidential or Secretarial declaration ends, a hospital must comply with the entire Privacy Rule, even if less than 72 hours have elapsed since the hospital implemented its disaster protocol.

My first follow-up was to ask what personal health information (PHI) the dispensary was holding. After all, in my experience, most dispensaries function on a strict transaction-by-transaction business model. A patient-customer comes in, shows his or her medical marijuana registry card and an ID, and makes the purchase in cash. My colleague reminded me that some dispensaries have opted to go with a “wellness center” approach and offer health care services in addition to medical marijuana, and these expanded service providers sometimes will retain patient records that might fall under the PHI umbrella.

But that isn’t the end of the inquiry. Not all providers are covered entities under HIPAA. In fact, as this helpful chart from the Centers for Medicare and Medicaid Services (CMS) demonstrates, the provider in question must transmit “covered transactions” electronically. A CMS regulation, in turn, defines covered transactions to be “[a] request to obtain payment, and the necessary accompanying information from a health care provider to a health plan, for health care,” or “if there is no direct claim, because the reimbursement contract is based on a mechanism other than charges or reimbursement rates for specific services, the transaction is the transmission of encounter information for the purpose of reporting health care.”

Insurance companies don’t pay for medical marijuana, so the first of those doesn’t apply. With respect to the second type of covered transaction, another CMS regulation specifies what will and what won’t be encompassed by the definition. There are a dozen different examples, but it should suffice to say that all of them involve the electronic transmission of health or claims information. And remember what I said above? In my experience, medical marijuana dispensaries aren’t in the business of receiving or sending any health information, electronic or otherwise. They run a storefront and fill requests for medical marijuana on a cash-only basis. In that paradigm, because no health or claim information is transmitted electronically, the dispensary wouldn’t be a HIPAA-covered entity.

That said, if a “wellness center”-model dispensary stores patient health information and transmits it for some reason, then it’s possible that the dispensary might be a covered entity. As noted above, HHS certainly thinks so. But I would guess that such centers are few and far between – and it certainly would behoove individuals considering operating that model of dispensary to think about the ramifications of their decision.


About Gordon & Rees

Gordon & Rees is a national litigation and business transactions firm with more than 800 attorneys across the United States. We deliver maximum value to our clients by combining the resources, size, and scale of a full-service national firm with the responsiveness, flexibility, and local knowledge of a regional firm.